From db9712052c4cf36b26872423be29cb772d3bb85e Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 24 Jan 2022 20:14:21 +0100 Subject: [PATCH] Import glibc-2.34-21.fc35 from f35 * Mon Jan 24 2022 Florian Weimer - 2.34-21 - Sync with upstream branch release/2.34/master, commit 3438bbca90895d32825a52e31a77dc44d273c1c1: - Linux: Detect user namespace support in io/tst-getcwd-smallbuff - realpath: Avoid overwriting preexisting error - CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1 - tst-realpath-toolong: Fix hurd build - CVE-2021-3998: realpath: ENAMETOOLONG for result larger than PATH_MAX - stdlib: Fix formatting of tests list in Makefile - stdlib: Sort tests in Makefile - support: Add helpers to create paths longer than PATH_MAX - powerpc: Fix unrecognized instruction errors with recent binutils - x86: use default cache size if it cannot be determined [BZ #28784] - CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) - sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) - CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542) - socket: Add the __sockaddr_un_set function - Disable debuginfod in printer tests [BZ #28757] - Update syscall lists for Linux 5.16 Resolves: #2032279 Resolves: #2032276 --- glibc-upstream-2.34-74.patch | 337 +++++++++++++++++++++++++++++++++++ glibc-upstream-2.34-75.patch | 53 ++++++ glibc-upstream-2.34-76.patch | 165 +++++++++++++++++ glibc-upstream-2.34-77.patch | 33 ++++ glibc-upstream-2.34-78.patch | 82 +++++++++ glibc-upstream-2.34-79.patch | 102 +++++++++++ glibc-upstream-2.34-80.patch | 56 ++++++ glibc-upstream-2.34-81.patch | 64 +++++++ glibc-upstream-2.34-82.patch | 276 ++++++++++++++++++++++++++++ glibc-upstream-2.34-83.patch | 121 +++++++++++++ glibc-upstream-2.34-84.patch | 173 ++++++++++++++++++ glibc-upstream-2.34-85.patch | 109 +++++++++++ glibc-upstream-2.34-86.patch | 26 +++ glibc-upstream-2.34-87.patch | 329 ++++++++++++++++++++++++++++++++++ glibc-upstream-2.34-88.patch | 28 +++ glibc-upstream-2.34-89.patch | 47 +++++ glibc.spec | 38 +++- 17 files changed, 2038 insertions(+), 1 deletion(-) create mode 100644 glibc-upstream-2.34-74.patch create mode 100644 glibc-upstream-2.34-75.patch create mode 100644 glibc-upstream-2.34-76.patch create mode 100644 glibc-upstream-2.34-77.patch create mode 100644 glibc-upstream-2.34-78.patch create mode 100644 glibc-upstream-2.34-79.patch create mode 100644 glibc-upstream-2.34-80.patch create mode 100644 glibc-upstream-2.34-81.patch create mode 100644 glibc-upstream-2.34-82.patch create mode 100644 glibc-upstream-2.34-83.patch create mode 100644 glibc-upstream-2.34-84.patch create mode 100644 glibc-upstream-2.34-85.patch create mode 100644 glibc-upstream-2.34-86.patch create mode 100644 glibc-upstream-2.34-87.patch create mode 100644 glibc-upstream-2.34-88.patch create mode 100644 glibc-upstream-2.34-89.patch diff --git a/glibc-upstream-2.34-74.patch b/glibc-upstream-2.34-74.patch new file mode 100644 index 0000000..15d3b62 --- /dev/null +++ b/glibc-upstream-2.34-74.patch @@ -0,0 +1,337 @@ +commit 705f1e4606aa78f4e861b4e3346725bf5f083a56 +Author: Joseph Myers +Date: Thu Jan 13 22:18:13 2022 +0000 + + Update syscall lists for Linux 5.16 + + Linux 5.16 has one new syscall, futex_waitv. Update + syscall-names.list and regenerate the arch-syscall.h headers with + build-many-glibcs.py update-syscalls. + + Tested with build-many-glibcs.py. + + (cherry picked from commit 4997a533ae4b51ef66a6b68862b7578a7acb82df) + +diff --git a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h +index 74a809561a45edc4..9905ebedf298954c 100644 +--- a/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/aarch64/arch-syscall.h +@@ -62,6 +62,7 @@ + #define __NR_fsync 82 + #define __NR_ftruncate 46 + #define __NR_futex 98 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h +index 6fc0a23504c3b53d..ee8085be69958b25 100644 +--- a/sysdeps/unix/sysv/linux/alpha/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/alpha/arch-syscall.h +@@ -78,6 +78,7 @@ + #define __NR_fsync 95 + #define __NR_ftruncate 130 + #define __NR_futex 394 ++#define __NR_futex_waitv 559 + #define __NR_futimesat 454 + #define __NR_get_kernel_syms 309 + #define __NR_get_mempolicy 430 +diff --git a/sysdeps/unix/sysv/linux/arc/arch-syscall.h b/sysdeps/unix/sysv/linux/arc/arch-syscall.h +index 0c66762bf868a992..1b626d97705d545a 100644 +--- a/sysdeps/unix/sysv/linux/arc/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/arc/arch-syscall.h +@@ -65,6 +65,7 @@ + #define __NR_fsync 82 + #define __NR_ftruncate64 46 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/arm/arch-syscall.h b/sysdeps/unix/sysv/linux/arm/arch-syscall.h +index c41a864c6d530eb0..96ef8db9368e7de4 100644 +--- a/sysdeps/unix/sysv/linux/arm/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/arm/arch-syscall.h +@@ -90,6 +90,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 240 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 326 + #define __NR_get_mempolicy 320 + #define __NR_get_robust_list 339 +diff --git a/sysdeps/unix/sysv/linux/csky/arch-syscall.h b/sysdeps/unix/sysv/linux/csky/arch-syscall.h +index 863ffa3e0cd34d3e..96910154ed6a5c1b 100644 +--- a/sysdeps/unix/sysv/linux/csky/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/csky/arch-syscall.h +@@ -70,6 +70,7 @@ + #define __NR_ftruncate64 46 + #define __NR_futex 98 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h +index 6cf27cd17c1ad0c0..36675fd48e6f50c5 100644 +--- a/sysdeps/unix/sysv/linux/hppa/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/hppa/arch-syscall.h +@@ -87,6 +87,7 @@ + #define __NR_ftruncate64 200 + #define __NR_futex 210 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 279 + #define __NR_get_mempolicy 261 + #define __NR_get_robust_list 290 +diff --git a/sysdeps/unix/sysv/linux/i386/arch-syscall.h b/sysdeps/unix/sysv/linux/i386/arch-syscall.h +index 2512508b7daa8ed2..c86ccbda4681066c 100644 +--- a/sysdeps/unix/sysv/linux/i386/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/i386/arch-syscall.h +@@ -94,6 +94,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 240 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 299 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 275 +diff --git a/sysdeps/unix/sysv/linux/ia64/arch-syscall.h b/sysdeps/unix/sysv/linux/ia64/arch-syscall.h +index 4a0c737369217367..d898bce404955ef0 100644 +--- a/sysdeps/unix/sysv/linux/ia64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/ia64/arch-syscall.h +@@ -74,6 +74,7 @@ + #define __NR_fsync 1051 + #define __NR_ftruncate 1098 + #define __NR_futex 1230 ++#define __NR_futex_waitv 1473 + #define __NR_futimesat 1285 + #define __NR_get_mempolicy 1260 + #define __NR_get_robust_list 1299 +diff --git a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h +index e310eb5075fb22d8..fe721b809076abeb 100644 +--- a/sysdeps/unix/sysv/linux/m68k/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/m68k/arch-syscall.h +@@ -93,6 +93,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 235 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 292 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 269 +diff --git a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h +index b4ecad010c2a6abf..6e10c3661db96a1e 100644 +--- a/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/microblaze/arch-syscall.h +@@ -94,6 +94,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 240 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 299 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 275 +diff --git a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h +index 7e3d138ba969c57b..26a6d594a2222f15 100644 +--- a/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/mips/mips32/arch-syscall.h +@@ -93,6 +93,7 @@ + #define __NR_ftruncate64 4212 + #define __NR_futex 4238 + #define __NR_futex_time64 4422 ++#define __NR_futex_waitv 4449 + #define __NR_futimesat 4292 + #define __NR_get_kernel_syms 4130 + #define __NR_get_mempolicy 4269 +diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h +index 7e9e232e5256bc89..83e0d49c5e3ca1bc 100644 +--- a/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/arch-syscall.h +@@ -86,6 +86,7 @@ + #define __NR_ftruncate 6075 + #define __NR_futex 6194 + #define __NR_futex_time64 6422 ++#define __NR_futex_waitv 6449 + #define __NR_futimesat 6255 + #define __NR_get_kernel_syms 6170 + #define __NR_get_mempolicy 6232 +diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h +index f9e7ef72b0aa1749..d6747c542f63202b 100644 +--- a/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/arch-syscall.h +@@ -78,6 +78,7 @@ + #define __NR_fsync 5072 + #define __NR_ftruncate 5075 + #define __NR_futex 5194 ++#define __NR_futex_waitv 5449 + #define __NR_futimesat 5251 + #define __NR_get_kernel_syms 5170 + #define __NR_get_mempolicy 5228 +diff --git a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h +index afd73fc1daca1fb4..4ee209bc4475ea7d 100644 +--- a/sysdeps/unix/sysv/linux/nios2/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/nios2/arch-syscall.h +@@ -69,6 +69,7 @@ + #define __NR_ftruncate64 46 + #define __NR_futex 98 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h +index 0ac2992028eda27e..497299fbc47a708c 100644 +--- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/arch-syscall.h +@@ -92,6 +92,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 221 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 290 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 260 +diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h +index c890bc644e14fe06..e840279f171b10b9 100644 +--- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/arch-syscall.h +@@ -81,6 +81,7 @@ + #define __NR_ftime 35 + #define __NR_ftruncate 93 + #define __NR_futex 221 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 290 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 260 +diff --git a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h +index cd336d755a42598a..73ef74c005e5a2bb 100644 +--- a/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/riscv/rv32/arch-syscall.h +@@ -60,6 +60,7 @@ + #define __NR_fsync 82 + #define __NR_ftruncate64 46 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h +index 8edd21620bb4ef64..919a79ee91177459 100644 +--- a/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/riscv/rv64/arch-syscall.h +@@ -62,6 +62,7 @@ + #define __NR_fsync 82 + #define __NR_ftruncate 46 + #define __NR_futex 98 ++#define __NR_futex_waitv 449 + #define __NR_get_mempolicy 236 + #define __NR_get_robust_list 100 + #define __NR_getcpu 168 +diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h +index 1a4873f505765617..005c0ada7aab85a1 100644 +--- a/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/s390/s390-32/arch-syscall.h +@@ -91,6 +91,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 238 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 292 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 269 +diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h +index 2af4607c1d36d173..9131fddcc16116e4 100644 +--- a/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/s390/s390-64/arch-syscall.h +@@ -76,6 +76,7 @@ + #define __NR_fsync 118 + #define __NR_ftruncate 93 + #define __NR_futex 238 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 292 + #define __NR_get_kernel_syms 130 + #define __NR_get_mempolicy 269 +diff --git a/sysdeps/unix/sysv/linux/sh/arch-syscall.h b/sysdeps/unix/sysv/linux/sh/arch-syscall.h +index 7b422ce268ba14d0..d8fb041568ecb4da 100644 +--- a/sysdeps/unix/sysv/linux/sh/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/sh/arch-syscall.h +@@ -90,6 +90,7 @@ + #define __NR_ftruncate64 194 + #define __NR_futex 240 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 299 + #define __NR_get_mempolicy 275 + #define __NR_get_robust_list 312 +diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h +index 77c3cc64f95ea7f3..2bc014fe6a1a1f4a 100644 +--- a/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/sparc/sparc32/arch-syscall.h +@@ -92,6 +92,7 @@ + #define __NR_ftruncate64 84 + #define __NR_futex 142 + #define __NR_futex_time64 422 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 288 + #define __NR_get_kernel_syms 223 + #define __NR_get_mempolicy 304 +diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h +index 7ad50bc4ad6cef04..76dbbe595ffe868f 100644 +--- a/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/sparc/sparc64/arch-syscall.h +@@ -82,6 +82,7 @@ + #define __NR_fsync 95 + #define __NR_ftruncate 130 + #define __NR_futex 142 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 288 + #define __NR_get_kernel_syms 223 + #define __NR_get_mempolicy 304 +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 1a74d090b72f4d61..0bc2af37dfa1eeb5 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -21,8 +21,8 @@ + # This file can list all potential system calls. The names are only + # used if the installed kernel headers also provide them. + +-# The list of system calls is current as of Linux 5.15. +-kernel 5.15 ++# The list of system calls is current as of Linux 5.16. ++kernel 5.16 + + FAST_atomic_update + FAST_cmpxchg +@@ -146,6 +146,7 @@ ftruncate + ftruncate64 + futex + futex_time64 ++futex_waitv + futimesat + get_kernel_syms + get_mempolicy +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h +index 3ce2a1fcfc1c15f2..28558279b48a1ef4 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/arch-syscall.h +@@ -78,6 +78,7 @@ + #define __NR_fsync 74 + #define __NR_ftruncate 77 + #define __NR_futex 202 ++#define __NR_futex_waitv 449 + #define __NR_futimesat 261 + #define __NR_get_kernel_syms 177 + #define __NR_get_mempolicy 239 +diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h +index 9e87e89baccc397c..c1ab8ec45e8b8fd3 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h ++++ b/sysdeps/unix/sysv/linux/x86_64/x32/arch-syscall.h +@@ -74,6 +74,7 @@ + #define __NR_fsync 1073741898 + #define __NR_ftruncate 1073741901 + #define __NR_futex 1073742026 ++#define __NR_futex_waitv 1073742273 + #define __NR_futimesat 1073742085 + #define __NR_get_mempolicy 1073742063 + #define __NR_get_robust_list 1073742355 diff --git a/glibc-upstream-2.34-75.patch b/glibc-upstream-2.34-75.patch new file mode 100644 index 0000000..7fada18 --- /dev/null +++ b/glibc-upstream-2.34-75.patch @@ -0,0 +1,53 @@ +commit 03e6e02e6a216cfb913f49b3be80d5088603864f +Author: H.J. Lu +Date: Sun Jan 9 09:06:15 2022 -0800 + + Disable debuginfod in printer tests [BZ #28757] + + With gdb-11.1-6.fc35.x86_64, I got + + FAIL: nptl/test-cond-printers + FAIL: nptl/test-condattr-printers + FAIL: nptl/test-mutex-printers + FAIL: nptl/test-mutexattr-printers + FAIL: nptl/test-rwlock-printers + FAIL: nptl/test-rwlockattr-printers + + $ cat nptl/test-condattr-printers.out + Error: Response does not match the expected pattern. + Command: start + Expected pattern: main + Response: Temporary breakpoint 1 at 0x11d5: file test-condattr-printers.c, line 43. + Starting program: /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/nptl/test-condattr-printers + + This GDB supports auto-downloading debuginfo from the following URLs: + https://debuginfod.fedoraproject.org/ + Enable debuginfod for this session? (y or [n]) + + Disable debuginfod to avoid GDB messages. This fixes BZ #28757. + + Reviewed-by: Florian Weimer + (cherry picked from commit 7de501f9418bf099e7104b63b0e4423257981b14) + +diff --git a/scripts/test_printers_common.py b/scripts/test_printers_common.py +index 34a3df6e6bd8b363..53b6d30d40ce2622 100644 +--- a/scripts/test_printers_common.py ++++ b/scripts/test_printers_common.py +@@ -161,6 +161,17 @@ def init_test(test_bin, printer_files, printer_names): + printer files. + """ + ++ # Disable debuginfod to avoid GDB messages like: ++ # ++ # This GDB supports auto-downloading debuginfo from the following URLs: ++ # https://debuginfod.fedoraproject.org/ ++ # Enable debuginfod for this session? (y or [n]) ++ # ++ try: ++ test('set debuginfod enabled off') ++ except Exception: ++ pass ++ + # Load all the pretty printer files. We're assuming these are safe. + for printer_file in printer_files: + test('source {0}'.format(printer_file)) diff --git a/glibc-upstream-2.34-76.patch b/glibc-upstream-2.34-76.patch new file mode 100644 index 0000000..3d669c3 --- /dev/null +++ b/glibc-upstream-2.34-76.patch @@ -0,0 +1,165 @@ +commit 5575daae5099e779bb860b566b4d608418a5b832 +Author: Florian Weimer +Date: Mon Jan 17 10:21:34 2022 +0100 + + socket: Add the __sockaddr_un_set function + + Reviewed-by: Siddhesh Poyarekar + (cherry picked from commit e368b12f6c16b6888dda99ba641e999b9c9643c8) + +diff --git a/include/sys/un.h b/include/sys/un.h +index bdbee999806930f4..152afd9fc7426d8b 100644 +--- a/include/sys/un.h ++++ b/include/sys/un.h +@@ -1 +1,13 @@ + #include ++ ++#ifndef _ISOMAC ++ ++/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME. ++ Return 0 on success or -1 on failure (due to overlong PATHNAME). ++ The caller should always use sizeof (struct sockaddr_un) as the ++ socket address length, disregaring the length of PATHNAME. ++ Only concrete (non-abstract) pathnames are supported. */ ++int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++ attribute_hidden; ++ ++#endif /* _ISOMAC */ +diff --git a/socket/Makefile b/socket/Makefile +index 375957601024c12e..c2de11d73ca1e324 100644 +--- a/socket/Makefile ++++ b/socket/Makefile +@@ -29,13 +29,17 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \ + routines := accept bind connect getpeername getsockname getsockopt \ + listen recv recvfrom recvmsg send sendmsg sendto \ + setsockopt shutdown socket socketpair isfdtype opensock \ +- sockatmark accept4 recvmmsg sendmmsg ++ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set + + tests := \ + tst-accept4 \ + tst-sockopt \ + # tests + ++tests-internal := \ ++ tst-sockaddr_un_set \ ++ # tests-internal ++ + tests-time64 := \ + tst-sockopt-time64 \ + # tests +diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c +new file mode 100644 +index 0000000000000000..0bd40dc34e3d7efc +--- /dev/null ++++ b/socket/sockaddr_un_set.c +@@ -0,0 +1,41 @@ ++/* Set the sun_path member of struct sockaddr_un. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++int ++__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) ++{ ++ size_t name_length = strlen (pathname); ++ ++ /* The kernel supports names of exactly sizeof (addr->sun_path) ++ bytes, without a null terminator, but userspace does not; see the ++ SUN_LEN macro. */ ++ if (name_length >= sizeof (addr->sun_path)) ++ { ++ __set_errno (EINVAL); /* Error code used by the kernel. */ ++ return -1; ++ } ++ ++ addr->sun_family = AF_UNIX; ++ memcpy (addr->sun_path, pathname, name_length + 1); ++ return 0; ++} +diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c +new file mode 100644 +index 0000000000000000..29c2a81afda81b5e +--- /dev/null ++++ b/socket/tst-sockaddr_un_set.c +@@ -0,0 +1,62 @@ ++/* Test the __sockaddr_un_set function. ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Re-compile the function because the version in libc is not ++ exported. */ ++#include "sockaddr_un_set.c" ++ ++#include ++ ++static int ++do_test (void) ++{ ++ struct sockaddr_un sun; ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ __sockaddr_un_set (&sun, ""); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0); ++ ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0); ++ TEST_COMPARE_STRING (sun.sun_path, "/example"); ++ ++ { ++ char pathname[108]; /* Length of sun_path (ABI constant). */ ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0); ++ TEST_COMPARE (sun.sun_family, AF_UNIX); ++ TEST_COMPARE_STRING (sun.sun_path, pathname); ++ } ++ ++ { ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ memset (&sun, 0xcc, sizeof (sun)); ++ errno = 0; ++ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1); ++ TEST_COMPARE (errno, EINVAL); ++ } ++ ++ return 0; ++} ++ ++#include diff --git a/glibc-upstream-2.34-77.patch b/glibc-upstream-2.34-77.patch new file mode 100644 index 0000000..752a81a --- /dev/null +++ b/glibc-upstream-2.34-77.patch @@ -0,0 +1,33 @@ +commit 7b5d433fd097b8ed74e458eca33597290e07b974 +Author: Florian Weimer +Date: Mon Jan 17 10:21:34 2022 +0100 + + CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542) + + Processing an overlong pathname in the sunrpc clnt_create function + results in a stack-based buffer overflow. + + Reviewed-by: Siddhesh Poyarekar + (cherry picked from commit 226b46770c82899b555986583294b049c6ec9b40) + +diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c +index 13ced8994e49d4ee..b44357cd88e60599 100644 +--- a/sunrpc/clnt_gen.c ++++ b/sunrpc/clnt_gen.c +@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers, + + if (strcmp (proto, "unix") == 0) + { +- memset ((char *)&sun, 0, sizeof (sun)); +- sun.sun_family = AF_UNIX; +- strcpy (sun.sun_path, hostname); ++ if (__sockaddr_un_set (&sun, hostname) < 0) ++ { ++ struct rpc_createerr *ce = &get_rpc_createerr (); ++ ce->cf_stat = RPC_SYSTEMERROR; ++ ce->cf_error.re_errno = errno; ++ return NULL; ++ } + sock = RPC_ANYSOCK; + client = clntunix_create (&sun, prog, vers, &sock, 0, 0); + if (client == NULL) diff --git a/glibc-upstream-2.34-78.patch b/glibc-upstream-2.34-78.patch new file mode 100644 index 0000000..cfd76f0 --- /dev/null +++ b/glibc-upstream-2.34-78.patch @@ -0,0 +1,82 @@ +commit 1081f1d3dd7c84ba3416b5198d47a4df2b70185d +Author: Martin Sebor +Date: Mon Jan 17 10:21:34 2022 +0100 + + sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) + + Reviewed-by: Siddhesh Poyarekar + (cherry picked from commit ef972a4c50014a16132b5c75571cfb6b30bef136) + +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 7e5bbfd951b1e835..a4281b18d04c78e9 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,8 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking ++ tst-udp-nonblocking tst-bug22542 ++ + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +@@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so + $(objpfx)tst-udp-garbage: \ + $(common-objpfx)linkobj/libc.so $(shared-thread-library) + ++$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so ++ + else # !have-GLIBC_2.31 + + routines = $(routines-for-nss) +diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c +new file mode 100644 +index 0000000000000000..d6cd79787bdef21d +--- /dev/null ++++ b/sunrpc/tst-bug22542.c +@@ -0,0 +1,44 @@ ++/* Test to verify that overlong hostname is rejected by clnt_create ++ and doesn't cause a buffer overflow (bug 22542). ++ ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ /* Create an arbitrary hostname that's longer than fits in sun_path. */ ++ char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; ++ memset (name, 'x', sizeof name - 1); ++ name [sizeof name - 1] = '\0'; ++ ++ errno = 0; ++ CLIENT *clnt = clnt_create (name, 0, 0, "unix"); ++ ++ TEST_VERIFY (clnt == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ return 0; ++} ++ ++#include diff --git a/glibc-upstream-2.34-79.patch b/glibc-upstream-2.34-79.patch new file mode 100644 index 0000000..84f34f8 --- /dev/null +++ b/glibc-upstream-2.34-79.patch @@ -0,0 +1,102 @@ +commit 6890b8a3ae40ab9d4c96024ab95b04816fcc8a4a +Author: Florian Weimer +Date: Mon Jan 17 11:49:25 2022 +0100 + + CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) + + The sunrpc function svcunix_create suffers from a stack-based buffer + overflow with overlong pathname arguments. + + Reviewed-by: Siddhesh Poyarekar + (cherry picked from commit f545ad4928fa1f27a3075265182b38a4f939a5f7) + +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index a4281b18d04c78e9..6408ab5c073538e9 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -65,7 +65,7 @@ shared-only-routines = $(routines) + endif + + tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ +- tst-udp-nonblocking tst-bug22542 ++ tst-udp-nonblocking tst-bug22542 tst-bug28768 + + xtests := tst-getmyaddr + +diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c +index 679fbe9cb69587bd..46f8d16fe94a3d4f 100644 +--- a/sunrpc/svc_unix.c ++++ b/sunrpc/svc_unix.c +@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) + SVCXPRT *xprt; + struct unix_rendezvous *r; + struct sockaddr_un addr; +- socklen_t len = sizeof (struct sockaddr_in); ++ socklen_t len = sizeof (addr); ++ ++ if (__sockaddr_un_set (&addr, path) < 0) ++ return NULL; + + if (sock == RPC_ANYSOCK) + { +@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) + } + madesock = TRUE; + } +- memset (&addr, '\0', sizeof (addr)); +- addr.sun_family = AF_UNIX; +- len = strlen (path) + 1; +- memcpy (addr.sun_path, path, len); +- len += sizeof (addr.sun_family); +- + __bind (sock, (struct sockaddr *) &addr, len); + + if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 +diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c +new file mode 100644 +index 0000000000000000..35a4b7b0b3d34350 +--- /dev/null ++++ b/sunrpc/tst-bug28768.c +@@ -0,0 +1,42 @@ ++/* Test to verify that long path is rejected by svcunix_create (bug 28768). ++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* svcunix_create does not have a default version in linkobj/libc.so. */ ++compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); ++ ++static int ++do_test (void) ++{ ++ char pathname[109]; ++ memset (pathname, 'x', sizeof (pathname)); ++ pathname[sizeof (pathname) - 1] = '\0'; ++ ++ errno = 0; ++ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); ++ TEST_COMPARE (errno, EINVAL); ++ ++ return 0; ++} ++ ++#include diff --git a/glibc-upstream-2.34-80.patch b/glibc-upstream-2.34-80.patch new file mode 100644 index 0000000..fec92e2 --- /dev/null +++ b/glibc-upstream-2.34-80.patch @@ -0,0 +1,56 @@ +commit 1d401d1fccb85046402089268b94d86d822070e6 +Author: Aurelien Jarno +Date: Mon Jan 17 19:41:40 2022 +0100 + + x86: use default cache size if it cannot be determined [BZ #28784] + + In some cases (e.g QEMU, non-Intel/AMD CPU) the cache information can + not be retrieved and the corresponding values are set to 0. + + Commit 2d651eb9265d ("x86: Move x86 processor cache info to + cpu_features") changed the behaviour in such case by defining the + __x86_shared_cache_size and __x86_data_cache_size variables to 0 instead + of using the default values. This cause an issue with the i686 SSE2 + optimized bzero/routine which assumes that the cache size is at least + 128 bytes, and otherwise tries to zero/set the whole address space minus + 128 bytes. + + Fix that by restoring the original code to only update + __x86_shared_cache_size and __x86_data_cache_size variables if the + corresponding cache sizes are not zero. + + Fixes bug 28784 + Fixes commit 2d651eb9265d + + Reviewed-by: H.J. Lu + (cherry picked from commit c242fcce06e3102ca663b2f992611d0bda4f2668) + +diff --git a/sysdeps/x86/cacheinfo.h b/sysdeps/x86/cacheinfo.h +index 41d2c81369840ada..63f36877e3f35d99 100644 +--- a/sysdeps/x86/cacheinfo.h ++++ b/sysdeps/x86/cacheinfo.h +@@ -61,14 +61,20 @@ init_cacheinfo (void) + long int data = cpu_features->data_cache_size; + /* Round data cache size to multiple of 256 bytes. */ + data = data & ~255L; +- __x86_data_cache_size_half = data / 2; +- __x86_data_cache_size = data; ++ if (data > 0) ++ { ++ __x86_data_cache_size_half = data / 2; ++ __x86_data_cache_size = data; ++ } + + long int shared = cpu_features->shared_cache_size; + /* Round shared cache size to multiple of 256 bytes. */ + shared = shared & ~255L; +- __x86_shared_cache_size_half = shared / 2; +- __x86_shared_cache_size = shared; ++ if (shared > 0) ++ { ++ __x86_shared_cache_size_half = shared / 2; ++ __x86_shared_cache_size = shared; ++ } + + __x86_shared_non_temporal_threshold + = cpu_features->non_temporal_threshold; diff --git a/glibc-upstream-2.34-81.patch b/glibc-upstream-2.34-81.patch new file mode 100644 index 0000000..3fcbbf4 --- /dev/null +++ b/glibc-upstream-2.34-81.patch @@ -0,0 +1,64 @@ +commit 82b1acd9de9796298a230d7484f26fe9a7756d18 +Author: Paul A. Clarke +Date: Sat Sep 25 09:57:15 2021 -0500 + + powerpc: Fix unrecognized instruction errors with recent binutils + + Recent versions of binutils (with commit + b25f942e18d6ecd7ec3e2d2e9930eb4f996c258a) stopped preserving "sticky" + options across a base `.machine` directive, nullifying the use of + passing "-many" through GCC to the assembler. As a result, some + instructions which were recognized even under older, more stringent + `.machine` directives become unrecognized instructions in that + context. + + In `sysdeps/powerpc/tst-set_ppr.c`, the use of the `mfppr32` extended + mnemonic became unrecognized, as the default compilation with GCC for + 32bit powerpc adds a `.machine ppc` in the resulting assembly, so the + command line option `-Wa,-many` is essentially ignored, and the ISA 2.06 + instructions and mnemonics, like `mfppr32`, are unrecognized. + + The compilation of `sysdeps/powerpc/tst-set_ppr.c` fails with: + Error: unrecognized opcode: `mfppr32' + + Add appropriate `.machine` directives in the assembly to bracket the + `mfppr32` instruction. + + Part of a 2019 fix (commit 9250e6610fdb0f3a6f238d2813e319a41fb7a810) to + the above test's Makefile to add `-many` to the compilation when GCC + itself stopped passing `-many` to the assember no longer has any effect, + so remove that. + + Reported-by: Joseph Myers + (cherry picked from commit ee874f44fd55988808a4a162ef21bfa2cc8dc6f7) + +diff --git a/sysdeps/powerpc/Makefile b/sysdeps/powerpc/Makefile +index 09860ffc0155d765..5e6cb07ce66decfa 100644 +--- a/sysdeps/powerpc/Makefile ++++ b/sysdeps/powerpc/Makefile +@@ -61,11 +61,6 @@ ifeq ($(subdir),misc) + sysdep_headers += sys/platform/ppc.h + tests += test-gettimebase + tests += tst-set_ppr +- +-# This test is expected to run and exit with EXIT_UNSUPPORTED on +-# processors that do not implement the Power ISA 2.06 or greater. +-# But the test makes use of instructions from Power ISA 2.06 and 2.07. +-CFLAGS-tst-set_ppr.c += -Wa,-many + endif + + ifeq ($(subdir),wcsmbs) +diff --git a/sysdeps/powerpc/tst-set_ppr.c b/sysdeps/powerpc/tst-set_ppr.c +index 7684f5d6ea905c60..e80da15320635585 100644 +--- a/sysdeps/powerpc/tst-set_ppr.c ++++ b/sysdeps/powerpc/tst-set_ppr.c +@@ -44,7 +44,8 @@ get_thread_priority (void) + { + /* Read the PPR. */ + ppr_t ppr; +- asm volatile (MFPPR" %0" : "=r"(ppr)); ++ asm volatile (".machine push; .machine power7; "MFPPR" %0; .machine pop" ++ : "=r"(ppr)); + /* Return the thread priority value. */ + return EXTRACT_THREAD_PRIORITY (ppr); + } diff --git a/glibc-upstream-2.34-82.patch b/glibc-upstream-2.34-82.patch new file mode 100644 index 0000000..1f522aa --- /dev/null +++ b/glibc-upstream-2.34-82.patch @@ -0,0 +1,276 @@ +commit 062ff490c1467059f6cd64bb9c3d85f6cc6cf97a +Author: Siddhesh Poyarekar +Date: Tue Jan 18 13:29:36 2022 +0530 + + support: Add helpers to create paths longer than PATH_MAX + + Add new helpers support_create_and_chdir_toolong_temp_directory and + support_chdir_toolong_temp_directory to create and descend into + directory trees longer than PATH_MAX. + + Reviewed-by: Adhemerval Zanella + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit fb7bff12e81c677a6622f724edd4d4987dd9d971) + +diff --git a/support/temp_file.c b/support/temp_file.c +index c6df641876285bb2..e41128c2d43fe903 100644 +--- a/support/temp_file.c ++++ b/support/temp_file.c +@@ -1,5 +1,6 @@ + /* Temporary file handling for tests. +- Copyright (C) 1998-2021 Free Software Foundation, Inc. ++ Copyright (C) 1998-2022 Free Software Foundation, Inc. ++ Copyright The GNU Tools Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or +@@ -20,15 +21,17 @@ + some 32-bit platforms. */ + #define _FILE_OFFSET_BITS 64 + ++#include + #include + #include + #include + ++#include + #include + #include + #include + #include +-#include ++#include + + /* List of temporary files. */ + static struct temp_name_list +@@ -36,14 +39,20 @@ static struct temp_name_list + struct temp_name_list *next; + char *name; + pid_t owner; ++ bool toolong; + } *temp_name_list; + + /* Location of the temporary files. Set by the test skeleton via + support_set_test_dir. The string is not be freed. */ + static const char *test_dir = _PATH_TMP; + +-void +-add_temp_file (const char *name) ++/* Name of subdirectories in a too long temporary directory tree. */ ++static char toolong_subdir[NAME_MAX + 1]; ++static bool toolong_initialized; ++static size_t toolong_path_max; ++ ++static void ++add_temp_file_internal (const char *name, bool toolong) + { + struct temp_name_list *newp + = (struct temp_name_list *) xcalloc (sizeof (*newp), 1); +@@ -53,12 +62,19 @@ add_temp_file (const char *name) + newp->name = newname; + newp->next = temp_name_list; + newp->owner = getpid (); ++ newp->toolong = toolong; + temp_name_list = newp; + } + else + free (newp); + } + ++void ++add_temp_file (const char *name) ++{ ++ add_temp_file_internal (name, false); ++} ++ + int + create_temp_file_in_dir (const char *base, const char *dir, char **filename) + { +@@ -90,8 +106,8 @@ create_temp_file (const char *base, char **filename) + return create_temp_file_in_dir (base, test_dir, filename); + } + +-char * +-support_create_temp_directory (const char *base) ++static char * ++create_temp_directory_internal (const char *base, bool toolong) + { + char *path = xasprintf ("%s/%sXXXXXX", test_dir, base); + if (mkdtemp (path) == NULL) +@@ -99,16 +115,132 @@ support_create_temp_directory (const char *base) + printf ("error: mkdtemp (\"%s\"): %m", path); + exit (1); + } +- add_temp_file (path); ++ add_temp_file_internal (path, toolong); + return path; + } + +-/* Helper functions called by the test skeleton follow. */ ++char * ++support_create_temp_directory (const char *base) ++{ ++ return create_temp_directory_internal (base, false); ++} ++ ++static void ++ensure_toolong_initialized (void) ++{ ++ if (!toolong_initialized) ++ FAIL_EXIT1 ("uninitialized toolong directory tree\n"); ++} ++ ++static void ++initialize_toolong (const char *base) ++{ ++ long name_max = pathconf (base, _PC_NAME_MAX); ++ name_max = (name_max < 0 ? 64 ++ : (name_max < sizeof (toolong_subdir) ? name_max ++ : sizeof (toolong_subdir) - 1)); ++ ++ long path_max = pathconf (base, _PC_PATH_MAX); ++ path_max = (path_max < 0 ? 1024 ++ : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX); ++ ++ /* Sanity check to ensure that the test does not create temporary directories ++ in different filesystems because this API doesn't support it. */ ++ if (toolong_initialized) ++ { ++ if (name_max != strlen (toolong_subdir)) ++ FAIL_UNSUPPORTED ("name_max: Temporary directories in different" ++ " filesystems not supported yet\n"); ++ if (path_max != toolong_path_max) ++ FAIL_UNSUPPORTED ("path_max: Temporary directories in different" ++ " filesystems not supported yet\n"); ++ return; ++ } ++ ++ toolong_path_max = path_max; ++ ++ size_t len = name_max; ++ memset (toolong_subdir, 'X', len); ++ toolong_initialized = true; ++} ++ ++char * ++support_create_and_chdir_toolong_temp_directory (const char *basename) ++{ ++ char *base = create_temp_directory_internal (basename, true); ++ xchdir (base); ++ ++ initialize_toolong (base); ++ ++ size_t sz = strlen (toolong_subdir); ++ ++ /* Create directories and descend into them so that the final path is larger ++ than PATH_MAX. */ ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) ++ { ++ int ret = mkdir (toolong_subdir, S_IRWXU); ++ if (ret != 0 && errno == ENAMETOOLONG) ++ FAIL_UNSUPPORTED ("Filesystem does not support creating too long " ++ "directory trees\n"); ++ else if (ret != 0) ++ FAIL_EXIT1 ("Failed to create directory tree: %m\n"); ++ xchdir (toolong_subdir); ++ } ++ return base; ++} + + void +-support_set_test_dir (const char *path) ++support_chdir_toolong_temp_directory (const char *base) + { +- test_dir = path; ++ ensure_toolong_initialized (); ++ ++ xchdir (base); ++ ++ size_t sz = strlen (toolong_subdir); ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) ++ xchdir (toolong_subdir); ++} ++ ++/* Helper functions called by the test skeleton follow. */ ++ ++static void ++remove_toolong_subdirs (const char *base) ++{ ++ ensure_toolong_initialized (); ++ ++ if (chdir (base) != 0) ++ { ++ printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n", ++ base); ++ return; ++ } ++ ++ /* Descend. */ ++ int levels = 0; ++ size_t sz = strlen (toolong_subdir); ++ for (levels = 0; levels <= toolong_path_max / sz; levels++) ++ if (chdir (toolong_subdir) != 0) ++ { ++ printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n", ++ toolong_subdir); ++ break; ++ } ++ ++ /* Ascend and remove. */ ++ while (--levels >= 0) ++ { ++ if (chdir ("..") != 0) ++ { ++ printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n"); ++ return; ++ } ++ if (remove (toolong_subdir) != 0) ++ { ++ printf ("warning: could not remove subdirectory: %s: %m\n", ++ toolong_subdir); ++ return; ++ } ++ } + } + + void +@@ -123,6 +255,9 @@ support_delete_temp_files (void) + around, to prevent PID reuse.) */ + if (temp_name_list->owner == pid) + { ++ if (temp_name_list->toolong) ++ remove_toolong_subdirs (temp_name_list->name); ++ + if (remove (temp_name_list->name) != 0) + printf ("warning: could not remove temporary file: %s: %m\n", + temp_name_list->name); +@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f) + fprintf (f, ")\n"); + } + } ++ ++void ++support_set_test_dir (const char *path) ++{ ++ test_dir = path; ++} +diff --git a/support/temp_file.h b/support/temp_file.h +index f3a7fb6f9ca44d19..a22964c6fa11abd2 100644 +--- a/support/temp_file.h ++++ b/support/temp_file.h +@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char *base, const char *dir, + returns. The caller should free this string. */ + char *support_create_temp_directory (const char *base); + ++/* Create a temporary directory tree that is longer than PATH_MAX and schedule ++ it for deletion. BASENAME is used as a prefix for the unique directory ++ name, which the function returns. The caller should free this string. */ ++char *support_create_and_chdir_toolong_temp_directory (const char *basename); ++ ++/* Change into the innermost directory of the directory tree BASE, which was ++ created using support_create_and_chdir_toolong_temp_directory. */ ++void support_chdir_toolong_temp_directory (const char *base); ++ + __END_DECLS + + #endif /* SUPPORT_TEMP_FILE_H */ diff --git a/glibc-upstream-2.34-83.patch b/glibc-upstream-2.34-83.patch new file mode 100644 index 0000000..4a37c4d --- /dev/null +++ b/glibc-upstream-2.34-83.patch @@ -0,0 +1,121 @@ +commit 269eb9d930546ce57e83b56c44c430f154684a23 +Author: Siddhesh Poyarekar +Date: Thu Jan 13 10:34:37 2022 +0530 + + stdlib: Sort tests in Makefile + + Put one test per line and sort them. + + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit 5b766603efa727c236a5f0cdcf09b71ff60b7584) + +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 7c15549cafa8e397..6a1c3580bd1648ee 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -65,30 +65,81 @@ aux = grouping groupingwc tens_in_limb + static-only-routines = atexit at_quick_exit + + test-srcs := tst-fmtmsg +-tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ +- test-canon test-canon2 tst-strtoll tst-environ \ +- tst-xpg-basename tst-random tst-random2 tst-bsearch \ +- tst-limits tst-rand48 bug-strtod tst-setcontext \ +- tst-setcontext2 test-a64l tst-qsort testmb2 \ +- bug-strtod2 tst-atof1 tst-atof2 tst-strtod2 \ +- tst-rand48-2 tst-makecontext tst-strtod5 \ +- tst-qsort2 tst-makecontext2 tst-strtod6 tst-unsetenv1 \ +- tst-makecontext3 bug-getcontext bug-fmtmsg1 \ +- tst-secure-getenv tst-strtod-overflow tst-strtod-round \ +- tst-tininess tst-strtod-underflow tst-setcontext3 \ +- tst-strtol-locale tst-strtod-nan-locale tst-strfmon_l \ +- tst-quick_exit tst-thread-quick_exit tst-width \ +- tst-width-stdint tst-strfrom tst-strfrom-locale \ +- tst-getrandom tst-atexit tst-at_quick_exit \ +- tst-cxa_atexit tst-on_exit test-atexit-race \ +- test-at_quick_exit-race test-cxa_atexit-race \ +- test-cxa_atexit-race2 \ +- test-on_exit-race test-dlclose-exit-race \ +- tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ +- tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ +- tst-setcontext6 tst-setcontext7 tst-setcontext8 \ +- tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ +- tst-realpath ++tests := bug-fmtmsg1 \ ++ bug-getcontext \ ++ bug-strtod \ ++ bug-strtod2 \ ++ test-a64l \ ++ test-at_quick_exit-race \ ++ test-atexit-race \ ++ test-bz22786 \ ++ test-canon \ ++ test-canon2 \ ++ test-cxa_atexit-race \ ++ test-cxa_atexit-race2 \ ++ test-dlclose-exit-race \ ++ test-on_exit-race \ ++ testdiv \ ++ testmb \ ++ testmb2 \ ++ testrand \ ++ testsort \ ++ tst-at_quick_exit \ ++ tst-atexit \ ++ tst-atof1 \ ++ tst-atof2 \ ++ tst-bsearch \ ++ tst-bz20544 \ ++ tst-canon-bz26341 \ ++ tst-cxa_atexit \ ++ tst-environ \ ++ tst-getrandom \ ++ tst-limits \ ++ tst-makecontext \ ++ tst-makecontext-align \ ++ tst-makecontext2 \ ++ tst-makecontext3 \ ++ tst-on_exit \ ++ tst-qsort \ ++ tst-qsort2 \ ++ tst-quick_exit \ ++ tst-rand48 \ ++ tst-rand48-2 \ ++ tst-random \ ++ tst-random2 \ ++ tst-realpath \ ++ tst-secure-getenv \ ++ tst-setcontext \ ++ tst-setcontext2 \ ++ tst-setcontext3 \ ++ tst-setcontext4 \ ++ tst-setcontext5 \ ++ tst-setcontext6 \ ++ tst-setcontext7 \ ++ tst-setcontext8 \ ++ tst-setcontext9 \ ++ tst-strfmon_l \ ++ tst-strfrom \ ++ tst-strfrom-locale \ ++ tst-strtod \ ++ tst-strtod-nan-locale \ ++ tst-strtod-nan-sign \ ++ tst-strtod-overflow \ ++ tst-strtod-round \ ++ tst-strtod-underflow \ ++ tst-strtod2 \ ++ tst-strtod5 \ ++ tst-strtod6 \ ++ tst-strtol \ ++ tst-strtol-locale \ ++ tst-strtoll \ ++ tst-swapcontext1 \ ++ tst-thread-quick_exit \ ++ tst-tininess \ ++ tst-unsetenv1 \ ++ tst-width \ ++ tst-width-stdint \ ++ tst-xpg-basename + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete diff --git a/glibc-upstream-2.34-84.patch b/glibc-upstream-2.34-84.patch new file mode 100644 index 0000000..e97805a --- /dev/null +++ b/glibc-upstream-2.34-84.patch @@ -0,0 +1,173 @@ +commit 73c362840c4efde45125a6c27bf41726397f4038 +Author: Siddhesh Poyarekar +Date: Thu Jan 13 18:50:55 2022 +0530 + + stdlib: Fix formatting of tests list in Makefile + + Signed-off-by: Siddhesh Poyarekar + Reviewed-by: Florian Weimer + (cherry picked from commit f9dab1b5f23d0fb008a56c7c6c8919adb49d3611) + +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 6a1c3580bd1648ee..9bb5c221e8be3288 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -65,81 +65,83 @@ aux = grouping groupingwc tens_in_limb + static-only-routines = atexit at_quick_exit + + test-srcs := tst-fmtmsg +-tests := bug-fmtmsg1 \ +- bug-getcontext \ +- bug-strtod \ +- bug-strtod2 \ +- test-a64l \ +- test-at_quick_exit-race \ +- test-atexit-race \ +- test-bz22786 \ +- test-canon \ +- test-canon2 \ +- test-cxa_atexit-race \ +- test-cxa_atexit-race2 \ +- test-dlclose-exit-race \ +- test-on_exit-race \ +- testdiv \ +- testmb \ +- testmb2 \ +- testrand \ +- testsort \ +- tst-at_quick_exit \ +- tst-atexit \ +- tst-atof1 \ +- tst-atof2 \ +- tst-bsearch \ +- tst-bz20544 \ +- tst-canon-bz26341 \ +- tst-cxa_atexit \ +- tst-environ \ +- tst-getrandom \ +- tst-limits \ +- tst-makecontext \ +- tst-makecontext-align \ +- tst-makecontext2 \ +- tst-makecontext3 \ +- tst-on_exit \ +- tst-qsort \ +- tst-qsort2 \ +- tst-quick_exit \ +- tst-rand48 \ +- tst-rand48-2 \ +- tst-random \ +- tst-random2 \ +- tst-realpath \ +- tst-secure-getenv \ +- tst-setcontext \ +- tst-setcontext2 \ +- tst-setcontext3 \ +- tst-setcontext4 \ +- tst-setcontext5 \ +- tst-setcontext6 \ +- tst-setcontext7 \ +- tst-setcontext8 \ +- tst-setcontext9 \ +- tst-strfmon_l \ +- tst-strfrom \ +- tst-strfrom-locale \ +- tst-strtod \ +- tst-strtod-nan-locale \ +- tst-strtod-nan-sign \ +- tst-strtod-overflow \ +- tst-strtod-round \ +- tst-strtod-underflow \ +- tst-strtod2 \ +- tst-strtod5 \ +- tst-strtod6 \ +- tst-strtol \ +- tst-strtol-locale \ +- tst-strtoll \ +- tst-swapcontext1 \ +- tst-thread-quick_exit \ +- tst-tininess \ +- tst-unsetenv1 \ +- tst-width \ +- tst-width-stdint \ +- tst-xpg-basename ++tests := \ ++ bug-fmtmsg1 \ ++ bug-getcontext \ ++ bug-strtod \ ++ bug-strtod2 \ ++ test-a64l \ ++ test-at_quick_exit-race \ ++ test-atexit-race \ ++ test-bz22786 \ ++ test-canon \ ++ test-canon2 \ ++ test-cxa_atexit-race \ ++ test-cxa_atexit-race2 \ ++ test-dlclose-exit-race \ ++ test-on_exit-race \ ++ testdiv \ ++ testmb \ ++ testmb2 \ ++ testrand \ ++ testsort \ ++ tst-at_quick_exit \ ++ tst-atexit \ ++ tst-atof1 \ ++ tst-atof2 \ ++ tst-bsearch \ ++ tst-bz20544 \ ++ tst-canon-bz26341 \ ++ tst-cxa_atexit \ ++ tst-environ \ ++ tst-getrandom \ ++ tst-limits \ ++ tst-makecontext \ ++ tst-makecontext-align \ ++ tst-makecontext2 \ ++ tst-makecontext3 \ ++ tst-on_exit \ ++ tst-qsort \ ++ tst-qsort2 \ ++ tst-quick_exit \ ++ tst-rand48 \ ++ tst-rand48-2 \ ++ tst-random \ ++ tst-random2 \ ++ tst-realpath \ ++ tst-secure-getenv \ ++ tst-setcontext \ ++ tst-setcontext2 \ ++ tst-setcontext3 \ ++ tst-setcontext4 \ ++ tst-setcontext5 \ ++ tst-setcontext6 \ ++ tst-setcontext7 \ ++ tst-setcontext8 \ ++ tst-setcontext9 \ ++ tst-strfmon_l \ ++ tst-strfrom \ ++ tst-strfrom-locale \ ++ tst-strtod \ ++ tst-strtod-nan-locale \ ++ tst-strtod-nan-sign \ ++ tst-strtod-overflow \ ++ tst-strtod-round \ ++ tst-strtod-underflow \ ++ tst-strtod2 \ ++ tst-strtod5 \ ++ tst-strtod6 \ ++ tst-strtol \ ++ tst-strtol-locale \ ++ tst-strtoll \ ++ tst-swapcontext1 \ ++ tst-thread-quick_exit \ ++ tst-tininess \ ++ tst-unsetenv1 \ ++ tst-width \ ++ tst-width-stdint \ ++ tst-xpg-basename \ ++# tests + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete diff --git a/glibc-upstream-2.34-85.patch b/glibc-upstream-2.34-85.patch new file mode 100644 index 0000000..3ea12aa --- /dev/null +++ b/glibc-upstream-2.34-85.patch @@ -0,0 +1,109 @@ +commit f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 +Author: Siddhesh Poyarekar +Date: Thu Jan 13 11:28:36 2022 +0530 + + realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770] + + realpath returns an allocated string when the result exceeds PATH_MAX, + which is unexpected when its second argument is not NULL. This results + in the second argument (resolved) being uninitialized and also results + in a memory leak since the caller expects resolved to be the same as the + returned value. + + Return NULL and set errno to ENAMETOOLONG if the result exceeds + PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. + + Reviewed-by: Adhemerval Zanella + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) + +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 9bb5c221e8be3288..a4ac30d1f6359561 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -109,6 +109,7 @@ tests := \ + tst-random \ + tst-random2 \ + tst-realpath \ ++ tst-realpath-toolong \ + tst-secure-getenv \ + tst-setcontext \ + tst-setcontext2 \ +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index 698f9ede25570ef2..7a23a51b3a395eb3 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved, + + error: + *dest++ = '\0'; +- if (resolved != NULL && dest - rname <= get_path_max ()) +- rname = strcpy (resolved, rname); ++ if (resolved != NULL) ++ { ++ if (dest - rname <= get_path_max ()) ++ rname = strcpy (resolved, rname); ++ else ++ { ++ failed = true; ++ __set_errno (ENAMETOOLONG); ++ } ++ } + + error_nomem: + scratch_buffer_free (&extra_buffer); +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +new file mode 100644 +index 0000000000000000..8bed772460b37571 +--- /dev/null ++++ b/stdlib/tst-realpath-toolong.c +@@ -0,0 +1,49 @@ ++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds ++ NAME_MAX. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define BASENAME "tst-realpath-toolong." ++ ++int ++do_test (void) ++{ ++ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ char buf[PATH_MAX + 1]; ++ const char *res = realpath (".", buf); ++ ++ /* canonicalize.c states that if the real path is >= PATH_MAX, then ++ realpath returns NULL and sets ENAMETOOLONG. */ ++ TEST_VERIFY (res == NULL); ++ TEST_VERIFY (errno == ENAMETOOLONG); ++ ++ free (base); ++ return 0; ++} ++ ++#include diff --git a/glibc-upstream-2.34-86.patch b/glibc-upstream-2.34-86.patch new file mode 100644 index 0000000..1885d41 --- /dev/null +++ b/glibc-upstream-2.34-86.patch @@ -0,0 +1,26 @@ +commit 8c8a71c85f2ed5cc90d08d82ce645513fc907cb6 +Author: Siddhesh Poyarekar +Date: Mon Jan 24 10:57:09 2022 +0530 + + tst-realpath-toolong: Fix hurd build + + Define PATH_MAX to a constant if it isn't already defined, like in hurd. + + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit 976db046bc3a3738f69255ae00b0a09b8e77fd9c) + +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath-toolong.c +index 8bed772460b37571..4388890294374601 100644 +--- a/stdlib/tst-realpath-toolong.c ++++ b/stdlib/tst-realpath-toolong.c +@@ -29,6 +29,10 @@ + + #define BASENAME "tst-realpath-toolong." + ++#ifndef PATH_MAX ++# define PATH_MAX 1024 ++#endif ++ + int + do_test (void) + { diff --git a/glibc-upstream-2.34-87.patch b/glibc-upstream-2.34-87.patch new file mode 100644 index 0000000..a696584 --- /dev/null +++ b/glibc-upstream-2.34-87.patch @@ -0,0 +1,329 @@ +commit 472e799a5f2102bc0c3206dbd5a801765fceb39c +Author: Siddhesh Poyarekar +Date: Fri Jan 21 23:32:56 2022 +0530 + + getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) + + No valid path returned by getcwd would fit into 1 byte, so reject the + size early and return NULL with errno set to ERANGE. This change is + prompted by CVE-2021-3999, which describes a single byte buffer + underflow and overflow when all of the following conditions are met: + + - The buffer size (i.e. the second argument of getcwd) is 1 byte + - The current working directory is too long + - '/' is also mounted on the current working directory + + Sequence of events: + + - In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG + because the linux kernel checks for name length before it checks + buffer size + + - The code falls back to the generic getcwd in sysdeps/posix + + - In the generic func, the buf[0] is set to '\0' on line 250 + + - this while loop on line 262 is bypassed: + + while (!(thisdev == rootdev && thisino == rootino)) + + since the rootfs (/) is bind mounted onto the directory and the flow + goes on to line 449, where it puts a '/' in the byte before the + buffer. + + - Finally on line 458, it moves 2 bytes (the underflowed byte and the + '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. + + - buf is returned on line 469 and errno is not set. + + This resolves BZ #28769. + + Reviewed-by: Andreas Schwab + Reviewed-by: Adhemerval Zanella + Signed-off-by: Qualys Security Advisory + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e) + +diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c +index 13680026ffecbd51..b6984a382c3e1711 100644 +--- a/sysdeps/posix/getcwd.c ++++ b/sysdeps/posix/getcwd.c +@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size) + size_t allocated = size; + size_t used; + ++ /* A size of 1 byte is never useful. */ ++ if (allocated == 1) ++ { ++ __set_errno (ERANGE); ++ return NULL; ++ } ++ + #if HAVE_MINIMALLY_WORKING_GETCWD + /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and + this is much slower than the system getcwd (at least on +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index d30d21898b402d1e..cdc01a3f023ec09a 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -342,7 +342,12 @@ sysdep_routines += xstatconv internal_statvfs \ + + sysdep_headers += bits/fcntl-linux.h + +-tests += tst-fallocate tst-fallocate64 tst-o_path-locks ++tests += \ ++ tst-fallocate \ ++ tst-fallocate64 \ ++ tst-getcwd-smallbuff \ ++ tst-o_path-locks \ ++# tests + endif + + ifeq ($(subdir),elf) +diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +new file mode 100644 +index 0000000000000000..d460d6e7662dc5e4 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +@@ -0,0 +1,241 @@ ++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow ++ buffer when the CWD is too long and is also a mount target of /. See bug ++ #28769 or CVE-2021-3999 for more context. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static char *base; ++#define BASENAME "tst-getcwd-smallbuff" ++#define MOUNT_NAME "mpoint" ++static int sockfd[2]; ++ ++static void ++do_cleanup (void) ++{ ++ support_chdir_toolong_temp_directory (base); ++ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0); ++ free (base); ++} ++ ++static void ++send_fd (const int sock, const int fd) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE (sizeof (int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ char ch = 'A'; ++ ssize_t n; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ cmsg->cmsg_len = CMSG_LEN (sizeof (int)); ++ cmsg->cmsg_level = SOL_SOCKET; ++ cmsg->cmsg_type = SCM_RIGHTS; ++ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd)); ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ ++ TEST_VERIFY_EXIT (n == 1); ++} ++ ++static int ++recv_fd (const int sock) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE(sizeof(int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ ssize_t n; ++ char ch = '\0'; ++ int fd = -1; ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ if (n != 1 || ch != 'A') ++ return -1; ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ if (cmsg == NULL) ++ return -1; ++ if (cmsg->cmsg_type != SCM_RIGHTS) ++ return -1; ++ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd)); ++ if (fd < 0) ++ return -1; ++ return fd; ++} ++ ++static int ++child_func (void * const arg) ++{ ++ xclose (sockfd[0]); ++ const int sock = sockfd[1]; ++ char ch; ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == '1'); ++ ++ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) ++ FAIL_EXIT1 ("mount failed: %m\n"); ++ const int fd = xopen ("mpoint", ++ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); ++ ++ send_fd (sock, fd); ++ xclose (fd); ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == 'a'); ++ ++ xclose (sock); ++ return 0; ++} ++ ++static void ++update_map (char * const mapping, const char * const map_file) ++{ ++ const size_t map_len = strlen (mapping); ++ ++ const int fd = xopen (map_file, O_WRONLY, 0); ++ xwrite (fd, mapping, map_len); ++ xclose (fd); ++} ++ ++static void ++proc_setgroups_write (const long child_pid, const char * const str) ++{ ++ const size_t str_len = strlen(str); ++ ++ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (setgroups_path, sizeof (setgroups_path), ++ "/proc/%ld/setgroups", child_pid); ++ ++ const int fd = open (setgroups_path, O_WRONLY); ++ ++ if (fd < 0) ++ { ++ TEST_VERIFY_EXIT (errno == ENOENT); ++ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid); ++ } ++ ++ xwrite (fd, str, str_len); ++ xclose(fd); ++} ++ ++static char child_stack[1024 * 1024]; ++ ++int ++do_test (void) ++{ ++ base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ xmkdir (MOUNT_NAME, S_IRWXU); ++ atexit (do_cleanup); ++ ++ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0); ++ pid_t child_pid = xclone (child_func, NULL, child_stack, ++ sizeof (child_stack), ++ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD); ++ ++ xclose (sockfd[1]); ++ const int sock = sockfd[0]; ++ ++ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)]; ++ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map", ++ (long) child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid()); ++ update_map (map_buf, map_path); ++ ++ proc_setgroups_write ((long) child_pid, "deny"); ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map", ++ (long) child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid()); ++ update_map (map_buf, map_path); ++ ++ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1); ++ const int fd = recv_fd (sock); ++ TEST_VERIFY_EXIT (fd >= 0); ++ TEST_VERIFY_EXIT (fchdir (fd) == 0); ++ ++ static char buf[2 * 10 + 1]; ++ memset (buf, 'A', sizeof (buf)); ++ ++ /* Finally, call getcwd and check if it resulted in a buffer underflow. */ ++ char * cwd = getcwd (buf + sizeof (buf) / 2, 1); ++ TEST_VERIFY (cwd == NULL); ++ TEST_VERIFY (errno == ERANGE); ++ ++ for (int i = 0; i < sizeof (buf); i++) ++ if (buf[i] != 'A') ++ { ++ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]); ++ support_record_failure (); ++ } ++ ++ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1); ++ xclose (sock); ++ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid); ++ ++ return 0; ++} ++ ++#define CLEANUP_HANDLER do_cleanup ++#include diff --git a/glibc-upstream-2.34-88.patch b/glibc-upstream-2.34-88.patch new file mode 100644 index 0000000..d741c3c --- /dev/null +++ b/glibc-upstream-2.34-88.patch @@ -0,0 +1,28 @@ +commit d084965adc7baa8ea804427cccf973cea556d697 +Author: Siddhesh Poyarekar +Date: Mon Jan 24 21:36:41 2022 +0530 + + realpath: Avoid overwriting preexisting error (CVE-2021-3998) + + Set errno and failure for paths that are too long only if no other error + occurred earlier. + + Related: BZ #28770 + + Reviewed-by: Andreas Schwab + Signed-off-by: Siddhesh Poyarekar + (cherry picked from commit 84d2d0fe20bdf94feed82b21b4d7d136db471f03) + +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c +index 7a23a51b3a395eb3..e2d4244fc7b8fa25 100644 +--- a/stdlib/canonicalize.c ++++ b/stdlib/canonicalize.c +@@ -404,7 +404,7 @@ error: + { + if (dest - rname <= get_path_max ()) + rname = strcpy (resolved, rname); +- else ++ else if (!failed) + { + failed = true; + __set_errno (ENAMETOOLONG); diff --git a/glibc-upstream-2.34-89.patch b/glibc-upstream-2.34-89.patch new file mode 100644 index 0000000..37ddc35 --- /dev/null +++ b/glibc-upstream-2.34-89.patch @@ -0,0 +1,47 @@ +commit 3438bbca90895d32825a52e31a77dc44d273c1c1 +Author: Florian Weimer +Date: Mon Jan 24 18:14:24 2022 +0100 + + Linux: Detect user namespace support in io/tst-getcwd-smallbuff + + Otherwise the test fails with certain container runtimes. + + Reviewed-by: Siddhesh Poyarekar + (cherry picked from commit 5b8e7980c5dabd9aaefeba4f0208baa8cf7653ee) + +diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +index d460d6e7662dc5e4..55362f6060a2b3be 100644 +--- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c ++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -188,6 +189,23 @@ do_test (void) + xmkdir (MOUNT_NAME, S_IRWXU); + atexit (do_cleanup); + ++ /* Check whether user namespaces are supported. */ ++ { ++ pid_t pid = xfork (); ++ if (pid == 0) ++ { ++ if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0) ++ _exit (EXIT_UNSUPPORTED); ++ else ++ _exit (0); ++ } ++ int status; ++ xwaitpid (pid, &status, 0); ++ TEST_VERIFY_EXIT (WIFEXITED (status)); ++ if (WEXITSTATUS (status) != 0) ++ return WEXITSTATUS (status); ++ } ++ + TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0); + pid_t child_pid = xclone (child_func, NULL, child_stack, + sizeof (child_stack), diff --git a/glibc.spec b/glibc.spec index 9fc6964..2677cb3 100644 --- a/glibc.spec +++ b/glibc.spec @@ -148,7 +148,7 @@ end \ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: 20%{?dist} +Release: 21%{?dist} # In general, GPLv2+ is used by programs, LGPLv2+ is used for # libraries. @@ -338,6 +338,22 @@ Patch138: glibc-rh2040657-9.patch Patch139: glibc-rh2040657-10.patch Patch140: glibc-rh2040657-11.patch Patch141: glibc-rh2040657-12.patch +Patch142: glibc-upstream-2.34-74.patch +Patch143: glibc-upstream-2.34-75.patch +Patch144: glibc-upstream-2.34-76.patch +Patch145: glibc-upstream-2.34-77.patch +Patch146: glibc-upstream-2.34-78.patch +Patch147: glibc-upstream-2.34-79.patch +Patch148: glibc-upstream-2.34-80.patch +Patch149: glibc-upstream-2.34-81.patch +Patch150: glibc-upstream-2.34-82.patch +Patch151: glibc-upstream-2.34-83.patch +Patch152: glibc-upstream-2.34-84.patch +Patch153: glibc-upstream-2.34-85.patch +Patch154: glibc-upstream-2.34-86.patch +Patch155: glibc-upstream-2.34-87.patch +Patch156: glibc-upstream-2.34-88.patch +Patch157: glibc-upstream-2.34-89.patch ############################################################################## # Continued list of core "glibc" package information: @@ -2381,6 +2397,26 @@ fi %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared %changelog +* Mon Jan 24 2022 Florian Weimer - 2.34-21 +- Sync with upstream branch release/2.34/master, + commit 3438bbca90895d32825a52e31a77dc44d273c1c1: +- Linux: Detect user namespace support in io/tst-getcwd-smallbuff +- realpath: Avoid overwriting preexisting error +- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1 +- tst-realpath-toolong: Fix hurd build +- CVE-2021-3998: realpath: ENAMETOOLONG for result larger than PATH_MAX +- stdlib: Fix formatting of tests list in Makefile +- stdlib: Sort tests in Makefile +- support: Add helpers to create paths longer than PATH_MAX +- powerpc: Fix unrecognized instruction errors with recent binutils +- x86: use default cache size if it cannot be determined [BZ #28784] +- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) +- sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) +- CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542) +- socket: Add the __sockaddr_un_set function +- Disable debuginfod in printer tests [BZ #28757] +- Update syscall lists for Linux 5.16 + * Wed Jan 19 2022 Florian Weimer - 2.34-20 - More reliable CPU compatibility diagnostics (#2040657)